[yocto] [meta-security 1/3] meta-integrity: rename IMA_EVM_BASE to INTEGRITY_BASE
Dmitry Eremin-Solenikov
dbaryshkov at gmail.com
Sun Jul 28 08:31:48 PDT 2019
From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov at mentor.com>
data/debug-keys will be reused for demo modsign keys, so rename
IMA_EVM_BASE to more generic INTEGRITY_BASE.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov at mentor.com>
---
meta-integrity/README.md | 12 ++++++------
meta-integrity/classes/ima-evm-rootfs.bbclass | 2 +-
meta-integrity/conf/layer.conf | 6 +++---
.../recipes-core/images/integrity-image-minimal.bb | 2 +-
4 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 5bef76e8dcd4..4607948781e2 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -74,7 +74,7 @@ compilation of the Linux kernel. To also activate it when building
the image, enable image signing in the local.conf like this:
INHERIT += "ima-evm-rootfs"
- IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+ IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
This uses the default keys provided in the "data" directory of the layer.
Because everyone has access to these private keys, such an image
@@ -96,7 +96,7 @@ for that are included in the layer. This is also how the
# In that shell, create the keys. Several options exist:
# 1. Self-signed keys.
- $IMA_EVM_BASE/scripts/ima-gen-self-signed.sh
+ $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh
# 2. Keys signed by a new CA.
# When asked for a PEM passphrase, that will be for the root CA.
@@ -104,11 +104,11 @@ for that are included in the layer. This is also how the
# only creating new certificates does. Most likely the default
# attributes for these certificates need to be adapted; modify
# the scripts as needed.
- # $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh
- # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh
+ # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh
+ # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh
# 3. Keys signed by an existing CA.
- # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
+ # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
exit
When using ``ima-self-signed.sh`` as described above, self-signed keys
@@ -169,7 +169,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd
changes. To activate policy loading via systemd, place a policy file
in `/etc/ima/ima-policy`, for example with:
- IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple"
+ IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 8aec388dffed..d6ade3bf914f 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -1,7 +1,7 @@
# No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be
# set explicitly in a local.conf before activating ima-evm-rootfs.
# To use the insecure (because public) example keys, use
-# IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+# IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET"
# Private key for IMA signing. The default is okay when
diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index 917aa86e11d7..1d31edd9b151 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -13,13 +13,13 @@ BBFILE_PRIORITY_integrity = "6"
# Set a variable to get to the top of the metadata location. Needed
# for finding scripts (when following the README.md instructions) and
# default debug keys (in ima-evm-rootfs.bbclass).
-IMA_EVM_BASE := '${LAYERDIR}'
+INTEGRITY_BASE := '${LAYERDIR}'
# We must not export this path to all shell scripts (as in "export
-# IMA_EVM_BASE"), because that causes problems with sstate (becames
+# INTEGRITY_BASE"), because that causes problems with sstate (becames
# dependent on location of the layer). Exporting it to just the
# interactive shell is enough.
-OE_TERMINAL_EXPORTS += "IMA_EVM_BASE"
+OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
LAYERSERIES_COMPAT_integrity = "warrior"
# ima-evm-utils depends on keyutils from meta-security
diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
index 6ed724df2267..e1bc6ffa0ed7 100644
--- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb
+++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -17,6 +17,6 @@ inherit core-image
export IMAGE_BASENAME = "integrity-image-minimal"
INHERIT += "ima-evm-rootfs"
-IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"
--
2.20.1
More information about the yocto
mailing list